Following up: http://projects.puppetlabs.com/issues/23180

Thanks again.  I think I spent enough time to figure out how I can hack 
this in the short term, though would love to see this accepted!  I'm happy 
to provide the hack diff that we'll use, though I am positive that you'd 
not want to just merge that.  This is probably my second time writing any 
Ruby code :)

Thanks,
Hans

On Friday, November 15, 2013 1:34:16 PM UTC-5, Hans Lellelid wrote:
>
>
>
> On Friday, November 15, 2013 1:30:53 PM UTC-5, Ken Barber wrote:
>>
>> > What you're saying makes perfect sense -- regarding this being something 
>> > that the puppetdb-terminus stuff does and making it an option in 
>> > puppetdb.conf, etc. 
>> > 
>> > Yeah, I'm looking through the code (doesn't help that my knowledge of Ruby 
>> > is very limited) and I see that the http_pool.rb configures the ssl stuff 
>> > setting ca_cert = Puppet[:localcacert].  That defaults to 
>> > $certdir/certs/ca.pem.  I've tried also explicitly specifying it in the 
>> > config file, but to no avail. I still get the verify failure, although doing 
>> > this manually in irb is working: 
>> > 
>> > require 'net/https' 
>> > http = Net::HTTP.new('puppetdb.<domain>', 443) 
>> > http.use_ssl = true 
>> > http.ca_file = '/var/lib/puppetmaster/ssl/certs/ca.pem' 
>> > # (I concatenated the global CA onto the end of ca.pem) 
>> > http.verify_mode = OpenSSL::SSL::VERIFY_PEER 
>> > http.send('get', '/') 
>> > #<Net::HTTPFound 302 Found readbody=true> 
>> > 
>> > I validated that pointing at the original ca.pem file fails as expected.  So 
>> > I'm a little confused as to why puppetmaster isn't succeeding after I 
>> > modified that file.  Perhaps there's some additional verification happening. 
>> > I'll probably give up soon :) 
>>
>> Can you capture your feature requirements in redmine for us? 
>>
>> http://projects.puppetlabs.com/projects/puppetdb 
>>
>> ken. 
>>
>
> Will do.
>
> Thanks! 
>
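
Added example, not part of the original thread and not Puppet's own code: an offline check of whether a server certificate chains to any CA in a given ca.pem bundle, which is the trust decision Net::HTTP makes from ca_file in the irb session quoted above. Both CAs, the server certificate and the host name are constructed for the example, and the helper names are hypothetical.

```ruby
require 'openssl'
require 'tempfile'

# Constructed test certificate; self-signed when no issuer is given.
def make_cert(cn, issuer_cert = nil, issuer_key = nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Write one or more certificates as a concatenated PEM bundle.
def write_bundle(name, *certs)
  file = Tempfile.new(name)
  file.write(certs.map(&:to_pem).join)
  file.flush
  file
end

# True when cert chains to a CA found in the PEM bundle at ca_file.
def trusted_by?(ca_file, cert)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_file) # loads every certificate in the bundle
  store.verify(cert)
end

def demo
  puppet_ca, = make_cert('Constructed Puppet CA', ca: true)
  global_ca, global_key = make_cert('Constructed Global CA', ca: true)
  server, = make_cert('puppetdb.example.test', global_ca, global_key)
  original = write_bundle('ca', puppet_ca)               # stock ca.pem
  combined = write_bundle('ca-combined', puppet_ca, global_ca)
  { original: trusted_by?(original.path, server),
    combined: trusted_by?(combined.path, server) }
end

p demo if __FILE__ == $PROGRAM_NAME
```

If this check passes against the modified bundle while the application still reports a verify failure, the application is reading its trust anchors from somewhere other than that file.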
